On 12/02/2015 11:01 AM, Inamdar Sharif wrote:
Yes, the app is trying to access its own app data directory.
What more information do you need, so that I can gather it?
Also, how do I get more info?
What I think is that when we upgrade, it does not label the app directory again,
which leads to the denial.

So, you moved the app data directory to SD before upgrading to M? Or
afterward? If afterward, did it have the correct label prior to moving it?
What's the path prefix of the app data directory?
Thanks.
-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 8:42 PM
To: Inamdar Sharif; [email protected]
Cc: Nick Kralevich
Subject: Re: MLS constraints blocking untrusted app to access app_data_file
On 12/02/2015 09:35 AM, Inamdar Sharif wrote:
Steps are:
1) Install the app on the device.
2) Move the app to the sdcard.
3) Try to run the app from the sdcard. ----> Failed.
This happens after upgrading to Android M.

I don't think I can test that, as the only devices I have that run M are Nexus
and have no real SDcard support.
The question remains as to why the app data directory is not being labeled with
the appropriate categories. That's the bug - the data directory needs to be
labeled consistently with the app. I assume btw that this is the app trying to
access its own app data directory; I can't tell that from only the information
you provided since you omitted any identifying information from the denial (and
fully determining it might require syscall audit or other logging).
Thanks.
-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 7:51 PM
To: Inamdar Sharif; [email protected]
Subject: Re: MLS constraints blocking untrusted app to access
app_data_file
On 12/02/2015 12:37 AM, Inamdar Sharif wrote:
Hi,
I am getting the below avc denial for almost every untrusted app:
type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#"
ino=# scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0
Usecase: Apps on SDCard try to access their files.
I know the reason why this is happening:
1) untrusted_app and app_data_file have different security levels
2) untrusted_app is not mlstrustedsubject
3) app_data_file is not mlstrustedobject
But I am not sure how I can solve this issue.
Please let me know any pointers on how to solve this issue.
Thanks.
Can you provide step-by-step instructions for reproducing the denial?
Why is the directory not labeled with the category set?
What does ls -Z of the directory show?
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
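
An added triage sketch, not part of the thread or of any project's code: it parses the denial quoted in the first message and evaluates the three conditions the original poster lists (level mismatch, mlstrustedsubject, mlstrustedobject). The function names and the empty trusted-type sets are assumptions for illustration, and it models only those three conditions, not the full policy.

```python
import re

# Assumption: both sets are empty because the post says untrusted_app is not an
# mlstrustedsubject and app_data_file is not an mlstrustedobject.
MLS_TRUSTED_SUBJECTS = frozenset()
MLS_TRUSTED_OBJECTS = frozenset()

# The denial quoted in the post, joined onto one line ("#" fields as posted).
SAMPLE_DENIAL = (
    'type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" '
    'ino=# scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)", re.S)

def expand_categories(cats):
    """Turn 'c512,c768' or 'c0.c3' into a frozenset of category numbers."""
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return frozenset(out)

def parse_context(ctx):
    """Split user:role:type:level; return (type, sensitivity, categories)."""
    _user, _role, type_, level = ctx.split(":", 3)
    low = level.split("-", 1)[0]          # low end if the level is a range
    sens, _, cats = low.partition(":")
    return type_, sens, expand_categories(cats)

def explain_denial(line):
    """Report which of the three conditions from the post hold for a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype, ssens, scats = parse_context(m["scon"])
    ttype, tsens, tcats = parse_context(m["tcon"])
    levels_equal = (ssens, scats) == (tsens, tcats)
    trusted = stype in MLS_TRUSTED_SUBJECTS or ttype in MLS_TRUSTED_OBJECTS
    return {
        "perms": m["perms"].split(), "tclass": m["tclass"],
        "source_type": stype, "target_type": ttype,
        "levels_equal": levels_equal,
        "missing_on_target": sorted(scats - tcats),  # categories the dir lacks
        "mls_blocked": not (levels_equal or trusted),
    }

if __name__ == "__main__":
    print(explain_denial(SAMPLE_DENIAL))
```

For the posted denial, `missing_on_target` lists the categories the directory label lacks, which is the labeling gap the replies ask about.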